global
  log         127.0.0.1 local0
  log-send-hostname
  {% if haproxy_chroot %}
  chroot      {{ haproxy_chroot_dir }}
  {% endif %}
  pidfile     /var/run/haproxy.pid
  maxconn     {{ haproxy_maxconn }}
  user        {{ haproxy_user }}
  group       {{ haproxy_group }}
  nbproc      1
  daemon
  tune.ssl.default-dh-param {{ haproxy_dhparam }}
  ssl-default-bind-options no-tls-tickets ssl-min-ver TLSv1.2
  ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH


defaults
    log                     global
    option                  http-ignore-probes
    option                  forwardfor       except 127.0.0.0/8
    stats                   enable
    timeout connect         5000
    timeout client          50000
    timeout server          50000

listen stats
    bind :::8082
    mode http
    stats enable
    stats uri /
    stats realm private
    stats auth {{ haproxy_stats_user }}:{{ haproxy_stats_pass }}

listen letsencrypt-tls01-detect
    mode tcp
    option tcplog

    bind {{ haproxy_bind_addr }}:{{ haproxy_bind_port }}

    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    use_backend letsencrypt-tls01 if { req.ssl_sni -m end .acme.invalid }
    use_backend ssh             if  { payload(0,7) -m bin 5353482d322e30 }
    use_backend openvpn         if  !{ req.ssl_hello_type 1 } !{ req.len 0 }

    use-server https-server if { req.ssl_hello_type 1  }
    server https-server 127.0.0.1:19443 weight 0 send-proxy

frontend https-in
    mode http
    option httplog
    option forwardfor
    option http-server-close
    option httpclose

    bind 127.0.0.1:19443 ssl crt {{ haproxy_cb_dest_bundle }} accept-proxy

    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    capture request header User-agent len 100

    redirect scheme https code 301 if !{ ssl_fc }
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }

    acl host_subsonic hdr(host) -i subsonic.aklaus.ca
    use_backend host_subsonic_be if host_subsonic

backend letsencrypt-tls01
    mode tcp
    option tcplog
    server letsencrypt {{ haproxy_cb_tls_bind_addr }}:{{ haproxy_cb_tls_bind_port }}

listen transmission
    mode tcp
    bind {{ haproxy_bind_addr }}:51413

    server transmission transmission.dmz:51413

listen plex
    mode tcp
    option tcplog
    bind {{ haproxy_bind_addr }}:32400

    server plex plex.dmz:32400

backend host_subsonic_be
    mode                    http
    option                  httplog
    option                  forwardfor # This sets X-Forwarded-For
    rspdel                  ^Strict-Transport-Security:.* #Remove hsts header from backend applications

    server subsonic subsonic.dmz:4040 check

backend ssh
    mode   tcp
    option tcplog
    server ssh shell.dmz:22

backend openvpn
    mode   tcp
    option tcplog
    server openvpn openvpn.dmz:1194
